HoareAsLogic: Hoare Logic as a Logic

(* $Date: 2014-09-02 10:54:20 -0400 (Tue, 02 Sep 2014) $ *)

Require Export Hoare.

The presentation of Hoare logic in chapter Hoare could be
described as "model-theoretic": the proof rules for each of the
constructors were presented as theorems about the evaluation
behavior of programs, and proofs of program correctness (validity
of Hoare triples) were constructed by combining these theorems
directly in Coq.

Another way of presenting Hoare logic is to define a completely
separate proof system — a set of axioms and inference rules that
talk about commands, Hoare triples, etc. — and then say that a
proof of a Hoare triple is a valid derivation in that logic. We
can do this by giving an inductive definition of valid
derivations in this new logic.

Exercise: 2 stars (hoare_proof_sound)

We can also use Coq's reasoning facilities to prove metatheorems
about Hoare Logic. For example, here are the analogs of two
theorems we saw in chapter Hoare — this time expressed in terms
of the syntax of Hoare Logic derivations (provability) rather than
directly in terms of the semantics of Hoare triples.

The first one says that, for every P and c, the assertion
{{P}} c {{True}} is provable in Hoare Logic. Note that the
proof is more complex than the semantic proof in Hoare: we
actually need to perform an induction over the structure of the
command c.

As a last step, we can show that the set of hoare_proof axioms is
sufficient to prove any true fact about (partial) correctness.
More precisely, any semantic Hoare triple that we can prove can
also be proved from these axioms. Such a set of axioms is said
to be relatively complete.

This proof is inspired by the one at
http://www.ps.uni-saarland.de/courses/sem-ws11/script/Hoare.html

To prove this fact, we'll need to invent some intermediate
assertions using a technical device known as weakest preconditions.
Given a command c and a desired postcondition assertion Q,
the weakest precondition wp c Q is an assertion P such that
{{P}} c {{Q}} holds, and moreover, for any other assertion P',
if {{P'}} c {{Q}} holds then P' → P. We can more directly
define this as follows:

Finally, we might hope that our axiomatic Hoare logic is decidable;
that is, that there is a (terminating) algorithm (a decision procedure)
that can determine whether or not a given Hoare triple is valid (derivable).
But such a decision procedure cannot exist!

Consider the triple {{True}} c {{False}}. This triple is valid
if and only if c is non-terminating. So any algorithm that could
determine validity of arbitrary triples could solve the Halting Problem.

Similarly, the triple {{True}} SKIP {{P}} is valid if and only if
∀ s, P s is valid, where P is an arbitrary assertion of Coq's
logic. But it is known that there can be no decision procedure for
this logic.
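The derivation system, the weakest-precondition construction behind relative completeness, and the reason validity can only be checked in restricted settings can all be seen in one small executable model. The Python below is an added example, not the chapter's own Coq. It represents a loop-free Imp fragment and Hoare derivations as tagged tuples (one tag per constructor, mirroring an inductive definition); `conclusion` checks a derivation rule by rule and returns the triple it proves; `wp` is the standard semantic weakest precondition (wp c Q holds in s exactly when Q holds in every final state c can reach from s); and `derive` builds the derivation of {{wp c Q}} c {{Q}} that the completeness argument relies on, so `prove` turns any valid triple into an accepted derivation via H_Consequence. Assertions are opaque Python predicates, so the implication side conditions of H_Consequence and the validity check are tested by enumeration over a small finite state space; that enumeration is precisely what is unavailable in general. The function names, the swap program, the assertions and the state space {0,1,2}^3 are all constructed for this example.

```python
from itertools import product
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed example.  Assertions are predicates on states; arithmetic
# expressions are functions from states to ints.  Commands (a loop-free Imp
# fragment) and derivations are tagged tuples, one tag per constructor:
#   commands:     ("skip",)  ("asgn", x, a)  ("seq", c1, c2)
#   derivations:  ("H_Skip", P)  ("H_Asgn", Q, x, a)  ("H_Seq", d1, d2)
#                 ("H_Consequence", P, d, Q)
State = Dict[str, int]
Assertion = Callable[[State], bool]

def ceval(c, s: State) -> State:
    """Big-step evaluation; every command of this fragment terminates."""
    if c[0] == "skip":
        return s
    if c[0] == "asgn":
        _, x, a = c
        return {**s, x: a(s)}
    _, c1, c2 = c
    return ceval(c2, ceval(c1, s))

def implies(P: Assertion, Q: Assertion, states: Sequence[State]) -> bool:
    """P ->> Q, tested over a finite state space (assertions are opaque
    functions, so implications are checked by enumeration, not proved)."""
    return all(Q(s) for s in states if P(s))

def valid(P: Assertion, c, Q: Assertion, states: Sequence[State]) -> bool:
    """Semantic triple {{P}} c {{Q}}, checked over the finite state space."""
    return all(Q(ceval(c, s)) for s in states if P(s))

def wp(c, Q: Assertion) -> Assertion:
    """Weakest precondition: wp c Q holds in s iff Q holds in every s' with
    c/s ⇓ s'.  Evaluation here is deterministic and total, so that is
    simply Q(ceval(c, s))."""
    return lambda s: Q(ceval(c, s))

class IllFormed(Exception):
    """The tree is not a valid derivation."""

def conclusion(d, states: Sequence[State]) -> Tuple[Assertion, tuple, Assertion]:
    """Check derivation d rule by rule; return the triple (P, c, Q) it proves."""
    tag = d[0]
    if tag == "H_Skip":                        # {{P}} SKIP {{P}}
        return d[1], ("skip",), d[1]
    if tag == "H_Asgn":                        # {{Q[x |-> a]}} x := a {{Q}}
        _, Q, x, a = d
        return (lambda s: Q({**s, x: a(s)})), ("asgn", x, a), Q
    if tag == "H_Seq":                         # {{P}} c1 {{Q}}   {{Q}} c2 {{R}}
        P, c1, Q1 = conclusion(d[1], states)
        Q2, c2, R = conclusion(d[2], states)
        if not (implies(Q1, Q2, states) and implies(Q2, Q1, states)):
            raise IllFormed("H_Seq: middle assertions differ")
        return P, ("seq", c1, c2), R
    if tag == "H_Consequence":                 # P ->> P'  {{P'}} c {{Q'}}  Q' ->> Q
        _, P, sub, Q = d
        P1, c, Q1 = conclusion(sub, states)
        if not (implies(P, P1, states) and implies(Q1, Q, states)):
            raise IllFormed("H_Consequence: side condition fails")
        return P, c, Q
    raise IllFormed(f"unknown rule {tag!r}")

def is_derivation(d, states: Sequence[State]) -> bool:
    """True iff d is accepted as a derivation over the given state space."""
    try:
        conclusion(d, states)
        return True
    except IllFormed:
        return False

def derive(c, Q: Assertion):
    """The relative-completeness construction for this fragment: a derivation
    of {{wp c Q}} c {{Q}}, built by threading weakest preconditions backwards."""
    if c[0] == "skip":
        return ("H_Skip", Q)
    if c[0] == "asgn":
        return ("H_Asgn", Q, c[1], c[2])
    _, c1, c2 = c
    return ("H_Seq", derive(c1, wp(c2, Q)), derive(c2, Q))

def prove(P: Assertion, c, Q: Assertion):
    """If {{P}} c {{Q}} is valid then P ->> wp c Q, so wrapping derive(c, Q)
    in H_Consequence is a derivation; if it is invalid, conclusion() rejects it."""
    return ("H_Consequence", P, derive(c, Q), Q)

# Constructed sample: swap X and Y through Z, checked over states in {0,1,2}^3.
STATES: List[State] = [dict(zip("XYZ", v)) for v in product(range(3), repeat=3)]
swap = ("seq", ("asgn", "Z", lambda s: s["X"]),
        ("seq", ("asgn", "X", lambda s: s["Y"]), ("asgn", "Y", lambda s: s["Z"])))
pre: Assertion = lambda s: s["X"] == 0 and s["Y"] == 1
post: Assertion = lambda s: s["X"] == 1 and s["Y"] == 0

if __name__ == "__main__":
    print("valid:", valid(pre, swap, post, STATES))
    print("derivable:", is_derivation(prove(pre, swap, post), STATES))
    print("wp == pre:", implies(wp(swap, post), pre, STATES)
          and implies(pre, wp(swap, post), STATES))
```

Running it reports that the swap triple is valid, that `prove` yields an accepted derivation for it, and that `wp swap post` coincides with the stated precondition on the sample states. `prove` applied to an invalid triple (precondition True, say) is rejected at the H_Consequence step because True does not imply the weakest precondition, and `derive(c, lambda s: True)` shows why {{P}} c {{True}} is always provable: the weakest precondition of True is True, which every P implies.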

Overall, this axiomatic style of presentation gives a clearer picture of what it
means to "give a proof in Hoare logic." However, it is not
entirely satisfactory from the point of view of writing down such
proofs in practice: it is quite verbose. The section of chapter
Hoare2 on formalizing decorated programs shows how we can do even
better.